Abstract

Onion routing is a scheme for anonymous communication that is designed for practical use. It has not been modeled formally, however, and therefore its anonymity guarantees have not been rigorously analyzed. We give an I/O-automata model of an onion-routing protocol and, under possibilistic definitions, characterize the situations in which anonymity and unlinkability are guaranteed.


1  Introduction 

Anonymity  networks  allow  users  to  communicate  while  hiding  their  identities  from  one  another  and  from 
third  parties.  We  would  like  to  design  such  networks  with  strong  anonymity  guarantees  but  without  incurring 
high  communication  overhead  or  much  added  latency.  Designs  have  been  proposed  [4,  5,  9,  18,  13,  6,  10,  1] 
that  meet  these  goals  to  varying  degrees. 

Onion  routing  [11,  17,  20]  is  a  practical  anonymity-network  scheme  with  relatively  low  overhead  and 
latency.  Several  implementations  have  been  made  [17,  20],  and  it  was  even  a  basis  for  a  commercial  system 
[2].  A  recent  iteration  of  the  basic  design  is  the  Tor  system  [9].  Tor  has  been  implemented  and,  as  of  June 
2006,  consists  of  over  600  routers,  each  processing  an  average  of  over  7GB  of  traffic  a  week. 

However, because onion routing is a practical, rather than theoretical, design, rigorous guarantees of the anonymity it provides have not been made. To this end, we propose a formal model of onion routing, based on the connection-oriented Tor protocol, using I/O automata. We then suggest possibilistic definitions of anonymity and unlinkability within this model and provide necessary and sufficient conditions for them to be provided to a user.

2  Analyzing  Onion  Routing 

An  onion-routing  network  consists  of  a  set  of  onion  routers.  To  send  data,  a  client  chooses  a  sequence  of 
routers,  called  a  circuit,  through  which  the  data  will  be  routed.  Each  packet  is  encrypted  multiple  times 
before  sending,  once  for  each  router  in  the  circuit  and  in  reverse  order  of  the  routers’  appearance  in  the 
circuit.  This  layered  structure  is  called  an  onion.  Encryption  can  be  done  with  a  private  key  that  is  shared 
with  each  router  or  with  the  public  key  of  each  router.  Each  router  uses  its  key  to  decrypt  the  onion  as  it  is 
forwarded  through  the  circuit.  The  onion  structure  helps  the  sender  to  hide  the  data  contents  from  all  but 
the  last  router  in  the  circuit,  and,  because  the  decryption  changes  the  data  representation,  the  onion  also 
makes  it  harder  for  a  network  observer  to  follow  the  path  the  data  takes  through  the  network. 

There  has  been  work  done  to  analyze  the  effectiveness  of  onion  routing.  Syverson  et  al.  [21]  consider  a 
system,  similar  to  Tor,  under  various  configurations  and  adversary  models.  They  examine  the  probability 
that certain types of anonymity compromises occur, but leave open whether other types are still possible.
Camenisch  and  Lysyanskaya  [3]  give  a  cryptographic  definition  of  a  connectionless  version  of  onion  routing 
and  prove  that  the  cryptography  it  uses  doesn’t  leak  any  information  to  the  onion  routers  other  than  the 
previous  and  next  routers.  Mauw  et  al.  [15]  do  an  analysis  of  connectionless  onion  routing  that  is  very 
similar  to  the  analysis  done  in  this  paper.  Their  model  is  expressed  in  a  process  algebra.  They  use  a 
possibilistic  definition  of  anonymity,  and  show  that  onion  routing  provides  sender  and  receiver  anonymity 
against  a  passive  global  adversary. 

Our  approach  is  to  formalize  an  onion-routing  protocol  with  a  network  of  automata.  The  protocol  is 
based  on  Tor.  We  consider  the  case  of  an  adversary  controlling  a  fixed  set  of  routers  that  are  allowed  to  run 
any  arbitrary  automata.  Then  we  show  that  this  adversary  cannot  distinguish  among  certain  user  circuit 
configurations.  In  particular,  the  adversary  cannot  determine  which  user  owns  a  circuit  unless  the  adversary 
controls  the  first  hop.  The  set  of  users  which  have  an  uncompromised  first  hop  form  a  sender  “anonymity 
set,”  among  which  the  adversary  cannot  distinguish.  Similarly,  the  adversary  cannot  determine  the  last 
router  of  a  circuit  unless  it  controls  it  or  the  penultimate  router.  Such  circuits  provide  receiver  anonymity. 
These  two  results  justify  considering  only  those  cases  considered  in  [21].  Also,  a  user  is  “unlinkable”  to 
his  destination  when  he  has  receiver  anonymity  or  his  sender  anonymity  set  includes  another  sender  with  a 
destination  that  is  different  or  unknown  to  the  adversary. 

We  only  consider  possibilistic  anonymity  here.  An  action  by  user  u  is  considered  to  be  anonymous 
when  there  exists  some  system  in  which  u  doesn’t  perform  the  action,  and  that  system  has  an  execution 
that  is  consistent  with  what  the  adversary  sees.  The  actions  for  which  we  consider  providing  anonymity 
are  sending  messages,  receiving  messages,  and  communicating  with  a  specific  destination.  A  more  formal 
treatment  of  this  anonymity  concept  is  given  by  Halpern  and  O’Neill  [12].  We  do  not  consider  our  system 
probabilistically,  as  is  required  in  more  refined  definitions  of  anonymity  [19,  7].  It  is  possible  to  examine 
probabilistic  definitions  within  our  system  by  defining  a  probability  measure  over  executions,  as  discussed 
in  [12],  or  over  initial  states. 


3  Model 

3.1  Distributed  system 

Our model of onion routing is based on I/O automata [14]. This formalism allows us to express an onion-routing protocol, model the network, and make precise the adversary's capabilities. One of its benefits is that it models asynchronous computation and communication. Another is that every action is performed by a single agent, so the perspective of the adversary is fairly clear.

Model onion routing as a fully connected asynchronous network of I/O automata. The network is composed of FIFO channels. There is a set of users U and a set of routers R. Let N = U ∪ R. We use the term agent to refer to an element of N. It is possible that U ∩ R ≠ ∅. In this case, user and router automata exist on the same processor. We assume that the users all create circuits of a fixed length l.

Each  router-and-user  pair  shares  a  set  of  secret  keys;  however,  the  router  does  not  know  which  of  its 
keys  belong  to  which  user.  We  assume  that  all  keys  in  the  system  are  distinct.  This  separates,  for  now,  key 
distribution  from  the  rest  of  the  protocol.  Let  K  be  the  keyspace. 

Let P be the set of control messages, and P̂ be the extension of P by encryption with up to l keys. The control messages will be tagged with a link identifier and circuit identifier when sent, so let the protocol message space be M = ℕ⁺ × ℕ⁺ × P̂. We denote the encryption of p ∈ P̂ using key k by {p}_k, and the decryption by {p}_{−k}. For brevity, the multiply encrypted message {{p}_{k_1}}_{k_2} will be denoted {p}_{k_1,k_2}. Brackets will be used to indicate the list structure of a message (i.e. [p_1, p_2, ...]).

The adversary in our system is a set of users and routers A ⊆ N. The adversary is active in the sense that the automata running on members of A are completely arbitrary. We call an agent a compromised if a ∈ A.

3.2 Automata


We  give  the  automata  descriptions  for  the  users  and  routers  that  are  based  on  the  Tor  protocol  [9] .  We  have 
simplified  the  protocol  in  several  ways.  In  particular  we  don’t  perform  key  exchange,  do  not  use  a  stream 
cipher,  have  each  user  construct  exactly  one  circuit  to  one  destination,  do  not  include  circuit  teardowns, 
eliminate  the  final  unencrypted  message  forward,  and  omit  stream  management  and  congestion  control.  We 
are  also  using  circuit  identifiers  to  mimic  the  effect  of  a  timing  attack.  Section  4.7  discusses  the  effects  of 
changing  some  of  these  features  of  our  protocol. 

During the protocol each user u iteratively constructs a circuit to his destination. u begins by sending the message {CREATE}_{k_1} to the first router, r_1, on his circuit. The message is encrypted with a key, k_1, shared between u and r_1. r_1 identifies k_1 by repeatedly trying to decrypt the message with each one of its keys until the result is a valid control message. It responds with the message CREATED. Note that this trial decryption requires that a decryption under the wrong key be recognizable as invalid; Section 3.3 relies on the same property when it restricts attention to cryptographic executions.

Given a partially-constructed circuit, u adds another router, r_i, to the end by sending the message {[EXTEND, r_i, {CREATE}_{k_i}]}_{k_{i−1},...,k_1} down the circuit. As the message gets forwarded down the circuit, each router decrypts it. r_{i−1} performs the CREATE steps described above, and then returns the message {EXTENDED}_{k_{i−1},...,k_1}. As the message gets forwarded back up the circuit, each router encrypts it.

Link  identifiers  are  used  by  adjacent  routers  on  a  circuit  to  differentiate  messages  on  different  circuits. 
They  are  only  unique  to  the  pair.  Circuit  identifiers  are  also  included  with  each  message  and  identify  the 
circuit  it  is  traveling  on.  They  are  unique  among  all  circuits.  Circuit  identifiers  are  not  used  in  the  actual 
Tor  protocol,  and  their  only  purpose  here  is  to  represent  the  ability  of  an  adversary  to  insert  and  detect 
timing  patterns  in  the  traffic  along  a  circuit.  Since  the  model  does  not  include  time,  but  timing  attacks  are 
very  real  [16],  this  is  a  way  to  give  the  adversary  this  power.  It  has  the  advantages  of  making  it  clear  when 
this  power  is  used  and  of  being  easy  to  remove  in  future  model  adjustments. 

The user automaton's state consists of a routing circuit, a number that identifies its circuit, and a number that indicates the state of that circuit. We consider the final router in the circuit to be the destination of the user. The user automaton runs two threads, one that is called upon receipt of a message and the other that is called at the start of execution. To be concise, we will express these in pseudocode rather than as I/O automata, but it should be noted that the state changes in a particular branch occur simultaneously in the automaton. h(c, i) indicates the number of occurrences of the ith router in the first i routers of a circuit c. (u, r, i) denotes the ith key shared by user u and router r. The automaton for user u appears in Automaton 1.

The router automaton's state is a set of keys and a table, T, with a row for each position the router holds in a circuit. Each row stores the previous and next hops in the circuit, identifying numbers for the incoming and outgoing links, and the associated key. There is only one thread and it is called upon receipt of a message. We denote the smallest positive integer that is not being used on a link from r to q or from q to r as minid(T, q). The automaton for router r appears in Automaton 2.

3.3  System  execution 

We  use  the  standard  notions  of  an  execution  and  fairness.  An  execution  corresponds  to  a  possible  run  of 
the  network  given  its  initial  state.  Fairness  in  our  model  simply  means  that  any  message  an  automaton 
wants  to  send  will  eventually  be  sent  and  that  every  sent  message  is  eventually  received.  Usually,  the 
fairness  condition  makes  it  easier  to  design  distributed  algorithms;  however,  in  our  case,  fairness  makes  it 
more  difficult,  because  it  restricts  the  executions  that  the  adversary  must  consider  when  trying  to  break 
anonymity. 

We also introduce the notion of a cryptographic execution. This is an execution in which no agent sends a control message encrypted with active keys it doesn't possess before that encrypted message has been sent to it. We will restrict our attention to such executions and must appeal to computational intractability to justify this restriction. Our encryption operation must only allow an attacker to output a control message in P encrypted with active keys it doesn't possess with negligible probability. This is reasonable because we can easily create a ciphertext space that is much larger than the rather limited control message space P. Note that this precludes the use of public key encryption to construct the onions because such messages can easily be constructed with the public keys of the routers.

Automaton 1 User u

 1: c ∈ {(r_1, ..., r_l) ∈ R^l | ∀i r_i ≠ r_{i+1}}; init: arbitrary    ▷ User's circuit
 2: i ∈ ℕ; init: random    ▷ Circuit identifier
 3: b ∈ ℕ; init: 0    ▷ Next hop to build
 4: procedure Start
 5:   send(c_1, [i, 0, {CREATE}_{(u,c_1,1)}])
 6:   b = 1
 7: end procedure
 8: procedure Message(msg, j)    ▷ msg ∈ M received from j ∈ N
 9:   if j = c_1 then
10:     if b = 1 then
11:       if msg = [i, 0, CREATED] then
12:         b++
13:         send(c_1, [i, 0, {[EXTEND, c_b, {CREATE}_{(u,c_b,h(c,b))}]}_{(u,c_{b−1},h(c,b−1)),...,(u,c_1,1)}])
14:       end if
15:     else if b < l then
16:       if msg = [i, 0, {EXTENDED}_{(u,c_{b−1},h(c,b−1)),...,(u,c_1,1)}] then
17:         b++
18:         send(c_1, [i, 0, {[EXTEND, c_b, {CREATE}_{(u,c_b,h(c,b))}]}_{(u,c_{b−1},h(c,b−1)),...,(u,c_1,1)}])
19:       end if
20:     else if b = l then
21:       if msg = [i, 0, {EXTENDED}_{(u,c_{b−1},h(c,b−1)),...,(u,c_1,1)}] then
22:         b++
23:       end if
24:     end if
25:   end if
26: end procedure

Definition 1. An execution is a sequence of states of an I/O automaton alternating with actions of the automaton. It begins with an initial state, and two consecutive states are related by the automaton transition function and the action between them. Every action must be enabled, meaning that the acting automaton must be in a state in which the action is possible at the point the action occurs. Because there are no internal actions in the automata, all actions are message sends or message receives. Frequently, we will treat an execution as a sequence of actions, because the states are implicit from these and the initial states.

Definition  2.  A  finite  execution  is  fair  if  there  are  no  actions  enabled  in  the  final  state.  Call  an  infinite 
execution  fair  if  every  output  action  that  is  enabled  in  infinitely  many  states  occurs  infinitely  often. 

Definition 3. An execution is cryptographic if no user or router sends a control message in P encrypted by a key it does not possess before receiving that message at least once. More formally, no router r sends a message [n, {p}_{(u_1,q_1,n_1),...,(u_k,q_k,n_k)}] ∈ M where r ≠ q_i for some i, and no user u sends a message [n, {p}_{(v_1,r_1,n_1),...,(v_k,r_k,n_k)}] where u ≠ v_i for some i, before it receives a message of that form.

3.4  Distinguishability 

The  actions  we  want  to  be  performed  anonymously  are  closely  related  to  the  circuits  the  users  try  to  construct 
during  an  execution. 

Definition 4. A configuration C : U → {(r_1, ..., r_l, n) ∈ R^l × ℕ⁺ | ∀i r_i ≠ r_{i+1}} maps each user to the circuit and circuit identifier in his automaton state.
Automaton 2 Router r

 1: keys ∈ K^n, where n ≥ |U| · l; init: arbitrary    ▷ Private keys
 2: T ⊆ N × ℕ × R × ℤ × ℤ_{|keys|}; init: ∅    ▷ Routing table
 3: procedure Message([i, n, p], q)    ▷ [i, n, p] ∈ M received from q ∈ N
 4:   if [q, n, ∅, −1, k] ∈ T then    ▷ In link created, out link absent
 5:     if ∃ s ∈ R \ {r}, b ∈ P̂ : p = {[EXTEND, s, b]}_k then
 6:       send(s, [i, minid(T, s), b])
 7:       T = T − [q, n, ∅, −1, k] + [q, n, s, −minid(T, s), k]
 8:     end if
 9:   else if [s, m, q, −n, k] ∈ T then    ▷ In link created, out link initiated
10:     if p = CREATED then
11:       T = T − [s, m, q, −n, k] + [s, m, q, n, k]
12:       send(s, [i, m, {EXTENDED}_k])
13:     end if
14:   else if ∃ m > 0 : [q, n, s, m, k] ∈ T then    ▷ In and out links created
15:     send(s, [i, m, {p}_{−k}])
16:   else if [s, m, q, n, k] ∈ T then    ▷ In and out links created
17:     send(s, [i, m, {p}_k])
18:   else
19:     if ∃ k ∈ keys : p = {CREATE}_k then    ▷ New link
20:       T = T + [q, n, ∅, −1, k]
21:       send(q, [i, n, CREATED])
22:     end if
23:   end if
24: end procedure

In our model, all messages are sent along links of a circuit; these messages are all circuit-creation messages and thus are entirely determined by the circuit, so the sender or receiver of a given message corresponds directly to the path of the circuit. Therefore, in order to prove that certain actions are performed anonymously in the network, we can just show that the adversary can never determine this circuit information. This is a possibilistic notion of anonymity. We will do this by identifying classes of configurations among which an adversary cannot distinguish.

Because  i  G  N  only  sees  those  messages  sent  to  and  from  i,  an  execution  of  a  configuration  C  may  appear 
the  same  to  i  as  a  similar  execution  of  another  configuration  D  that  only  differs  from  C  in  parts  of  the 
circuits  that  are  not  adjacent  to  i  and  in  circuit  identifiers  that  i  never  sees.  To  be  assured  that  i  will  never 
notice  a  difference,  we  would  like  this  to  be  true  for  all  executions  of  C  that  could  occur.  These  are  the  fair, 
cryptographic  executions  of  C,  and  likewise  the  execution  of  D  should  be  fair  and  cryptographic. 

We  will  say  that  these  configurations  are  indistinguishable  if,  for  any  fair  cryptographic  execution  of  C, 
there  exists  a  fair  cryptographic  execution  of  D  that  appears  identical  to  i,  i.e.  in  which  i  sends  and  receives 
what  appear  to  be  the  same  messages  in  the  same  order. 

Agent i's power to distinguish among executions is weakened by encryption in two ways. First, we allow a permutation on (user, router, position) triples, which identify the keys in the system, to be applied to the keys of encrypted or decrypted messages in an execution. This permutation can map a key from any router other than i to any key of any other router other than i, because i can only tell that it doesn't hold these keys. It can map any key of i to any other key of i, because i doesn't know for which users and circuit positions its keys will be used. Second, i cannot distinguish among messages encrypted with a key it does not possess, so we allow a permutation to be applied to control messages that are encrypted with a key that is not shared with i. This second requirement must be justified by the computational intractability of distinguishing between encrypted messages with more than a negligible probability in our cryptosystem.

Definition 5. Define ≡_A to be a relation over configurations that indicates which configurations are indistinguishable to A ⊆ N. For configurations C, C', C ≡_A C' if for every fair cryptographic execution α of C, there exists some action sequence β such that the following conditions hold when C' is the initial state:

1. Every action of β is enabled, except possibly for actions performed by a member of A.

2. β is fair for all agents, except possibly those in A.

3. β is cryptographic for all agents.

4. Let Σ be the subset of permutations on U × R × [l] such that each element restricted to keys involving a ∈ A is a permutation on those keys. We apply σ ∈ Σ to the encryption of a message sequence by changing every list component {p}_{(u,r,i)} in the sequence to {p}_{σ(u,r,i)}.

Let Π be the subset of permutations on P̂ such that for all π ∈ Π:

(a) π is a permutation on the set {{p}_{k_1,...,k_i}}_{p∈P}

(b) π({p}_{k_1,...,k_i,k_a}) = {π({p}_{k_1,...,k_i})}_{k_a}, where k_a is shared by the adversary

We apply π ∈ Π to a message sequence by changing every message {p}_{k_1,...,k_i} in the message sequence to π({p}_{k_1,...,k_i}).

Then there must exist σ ∈ Σ and π ∈ Π such that applying σ and π to the subsequence of α corresponding to actions of A yields the subsequence of β corresponding to actions of A.

If C ≡_A C' we say that C is indistinguishable from C' to A. It is clear that an indistinguishability relation is reflexive and transitive.

3.5  Anonymity  and  Unlinkability 

The sender in this model corresponds to the user of a circuit, the receiver to the last router of the circuit, and the messages we wish to communicate anonymously are just the circuit control messages. The circuit identifiers allow the adversary to link together all the messages initiated by a user and attribute them to a single source. Therefore sender anonymity is provided to u if the adversary can't determine which circuit identifier u is using. Similarly, receiver anonymity is provided to r for messages from u if the adversary can't determine the destination of the circuit with u's identifier. Also, unlinkability is provided to u and r if the adversary can't determine u's destination.

Definition 6. User u has sender anonymity in configuration C with respect to adversary A if there exists some indistinguishable configuration C' in which u uses a different circuit identifier.

Definition 7. Router r has receiver anonymity on user u's circuit, in configuration C, and with respect to adversary A, if there exists some indistinguishable configuration C' in which a user with u's circuit identifier, if one exists, has a destination other than r.

Definition 8. User u and router r are unlinkable in configuration C if there exists some indistinguishable configuration C' in which the destination of u is not r.


4  Indistinguishable  Configurations 

Now  we  will  show  that  sometimes  the  adversary  cannot  determine  the  path  or  identifier  of  a  circuit.  More 
specifically,  an  adversary  can  only  determine  which  user  or  router  occupies  a  given  position  in  a  circuit  when 
the  adversary  controls  it  or  a  router  adjacent  to  it  on  that  circuit.  Also,  when  the  adversary  controls  no  part 
of  a  circuit  it  cannot  determine  its  identifier.  In  what  follows,  let  C  be  some  configuration. 
4.1 Message Sequences

To  start,  we  observe  that,  in  spite  of  the  arbitrary  actions  of  the  adversary,  the  actions  of  the  uncompromised 
users  and  routers  are  very  structured.  The  protocol  followed  by  the  user  and  router  automata  defines  a  simple 
sequence  of  message  sends  and  receives  for  every  circuit.  A  user  or  router  will  only  send  messages  from  the 
part  of  such  a  sequence  consisting  of  its  actions. 

The user automaton gives this subsequence for users. It consists of messages between the user and the first router on its circuit, and is parameterized by the user and the system configuration. We will refer to this sequence as σ_U(u, C). We denote the number of occurrences of the ith router in the first i routers of u's circuit c by h(c, i). For convenience, we define the function k(u, C, i) = (u, C_i(u), h(C(u), i)), which is the key shared between u and its ith router in C. Since the user automaton ignores the circuit identifier on received messages, we use an asterisk to indicate that any value is valid. Let σ_U(u, C) be:


Step    From      To        Message
1       u         C_1(u)    [C_{l+1}(u), 0, {CREATE}_{k(u,C,1)}]
2       C_1(u)    u         [∗, 0, CREATED]
3       u         C_1(u)    [C_{l+1}(u), 0, {[EXTEND, C_2(u), {CREATE}_{k(u,C,2)}]}_{k(u,C,1)}]
4       C_1(u)    u         [∗, 0, {EXTENDED}_{k(u,C,1)}]
1+2i    u         C_1(u)    [C_{l+1}(u), 0, {[EXTEND, C_{i+1}(u), {CREATE}_{k(u,C,i+1)}]}_{k(u,C,i),...,k(u,C,1)}]    (2 ≤ i < l)
2+2i    C_1(u)    u         [∗, 0, {EXTENDED}_{k(u,C,i),...,k(u,C,1)}]    (2 ≤ i < l)

(Here C_{l+1}(u) is the circuit identifier of u's configuration entry.)

Lemma 1. A user u is enabled to send a message in an action sequence under configuration C iff the following conditions are satisfied:

1. The send appears in σ_U(u, C).

2. The prefix of σ_U(u, C) ending before the send has appeared in the sequence.

3. This prefix is the longest such prefix to appear.

□ 

Similarly, the router automaton defines the action sequence that a router performs during the creation of a circuit. A different sequence exists for every router r, user u, circuit position 1 ≤ i ≤ l, system configuration C, and link identifiers m, n ∈ ℕ. We will denote a particular sequence σ_R(r, C, u, i, m, n). Frequently we will drop parameters that we don't care about, for example, referring to σ_R(r, C, u, i) when the specific link identifiers don't matter, and may abuse this notation by treating it as one sequence rather than a family of sequences.

We use k(u, C, i) as before. The sequence σ_R(r, C, u, i, m, n) is:

Step    From          To            Message
1       C_{i−1}(u)    r             [j_1, n, {CREATE}_{k(u,C,i)}]
2       r             C_{i−1}(u)    [j_1, n, CREATED]
3       C_{i−1}(u)    r             [j_2, n, {[EXTEND, C_{i+1}(u), {CREATE}_{k(u,C,i+1)}]}_{k(u,C,i)}]
4       r             C_{i+1}(u)    [j_2, m, {CREATE}_{k(u,C,i+1)}]
5       C_{i+1}(u)    r             [j_3, m, CREATED]
6       r             C_{i−1}(u)    [j_3, n, {EXTENDED}_{k(u,C,i)}]

(Here C_0(u) denotes u itself, and j_1, j_2, j_3 are the circuit identifiers carried by the messages, which r copies into its own sends without checking them.)

Using the σ_R sequences, we can characterize which messages a router can send at any point in an action sequence. Let α be a finite execution, and τ_i be the length-i prefix of some sequence σ ∈ σ_R(r). We say that τ_i has occurred in α if, by the end of the sequence, r has performed the first i steps in σ. This happens when τ_i is the longest prefix of σ that appears as a subsequence of α, and, at the point at which step 1 (4) occurs in α, n (m) must be the smallest number not yet in r's table as an entry to or from c_{i−1} (c_{i+1}), the router that sent (received) the message in step 1 (4).

Lemma 2. For r to be enabled to send a message μ at the end of α, one of three cases must apply for some σ ∈ σ_R(r):

1. The message is part of the circuit building protocol. Sending μ is step 2i in σ, 1 ≤ i ≤ 3. Then τ_{2i−1} must occur in α and τ_{2i} must occur in the execution created when μ is appended to α.

2. The message is a forward down the circuit (toward c_{i+1}), μ = [m, p]. r is to be sending μ to c_{i+1}. σ has occurred in α. The link identifiers to c_{i−1} and c_{i+1} are n and m, respectively. α contains the action of the message [n, p] being sent to r from c_{i−1} after σ occurs. Also, the number of such receives from c_{i−1} is greater than the number of sends of μ to c_{i+1} that happen after σ occurs.

3. The message is a forward up the circuit (toward c_{i−1}), μ = [n, p]. r is to be sending μ to c_{i−1}. σ has occurred in α. The link identifiers to c_{i−1} and c_{i+1} are n and m, respectively. α contains the action of the message [m, p] being sent to r from c_{i+1} after σ occurs. Also, the number of such receives from c_{i+1} is greater than the number of sends of μ to c_{i−1} that happen after σ occurs.


□ 

We can use these lemmas to partition the actions performed by an agent in an execution of configuration C. We will use these partitions to construct executions of indistinguishable configurations and prove that they satisfy the requirements of Definition 5.

For a user u we create two partitions. The first is formed by the maximal prefix of σ_U(u, C) such that each receive in the partition causes the b variable of u's state to be incremented. The condition on the receives is required for a unique maximal prefix to deal with the case that an adversary sends sequence responses multiple times. The second partition is formed from all of u's other actions. By Lemma 1 this is composed of receiving unnecessary messages due to adversarial actions, and we will call this the "junk" partition.

For a router r, we create a partition for each entry in its routing table at any point in the execution and an extra junk partition. For a given routing table entry we create a partition out of the maximum-length subsequence of some σ_R(r) sequence, say σ, such that each receive modifies the same entry in the routing table. We also include every send and receive of a forward performed using that entry. This partition is said to be associated with σ. Every other action done by the router is put in a junk partition, and, by Lemma 2, this partition is composed only of receives.

4.2 Indistinguishable Users

Now we prove that an active adversary cannot determine which user creates a given circuit unless the first router on that circuit is controlled by the adversary or the owners of all the other circuits have been determined. That is, an adversary cannot distinguish between a configuration C and the configuration C' that is identical to C except for two circuits with uncompromised first routers that are switched between their owners. In order to do so, we must show that, for any fair, cryptographic execution of C, there exists some action sequence of C' satisfying the indistinguishability requirements of Definition 5. To do so, we simply swap between the switched users the messages that pass between them and the first routers on their circuits and switch the encryption keys of these messages.

Theorem 1. Say there are two distinct users, u, v, such that neither they nor the first routers in their circuits are compromised (that is, in A). Let C' be identical to C except that the circuits of users u and v are switched. C is indistinguishable from C' to A.

Proof. Let $\alpha$ be a fair, cryptographic execution of C. To create a possible execution of C', first construct $\alpha'$ by replacing any message sent or received between u (v) and $C_1(u)$ ($C_1(v)$) in $\alpha$ with a message sent or received between v (u) and $C_1(u)$ ($C_1(v)$). Then let $\psi$ be the permutation that sends u to v and v to u and every other user to itself. Create $\beta$ by applying $\psi$ to the encryption keys of $\alpha'$.

1. Every action by an agent in $N \setminus A$ in $\beta$ is enabled.

It is easy to see that all receives are enabled in $\beta$ since sends and corresponding receives are modified together.

For any user $w \notin \{u, v\}$, all messages in $\sigma_U(w, C)$ go to or from w, so none are added to or removed from $\alpha$ in $\alpha'$. Also none of the messages in this sequence would be modified by $\psi$, because they are encrypted with a key of w, and $\psi$ doesn't convert messages in $\alpha'$ into messages of $\sigma_U(w, C)$. Therefore if a message is enabled to be sent from w in $\beta$, it was enabled in $\alpha$.

For user u, when u sends a message to $C_1(v)$ in $\beta$, it corresponds to v sending a message to $C_1(v)$ in $\alpha$. v is enabled to do so in $\alpha$, so at that point it has sent and received exactly those messages of $\sigma_U(v, C)$ necessary to enable that send. In $\beta$ we have changed those messages to be messages between u and $C_1(v)$ while modifying the encryption keys, so the necessary $\sigma_U(u, C')$ messages have appeared to enable the send. No additional messages in $\sigma_U(u, C')$ could have appeared in $\beta$, since u and v do not communicate on link identifier 0 in $\alpha$. Therefore u is enabled to send the message. A similar argument works for v.

For a router $r \notin A \cup \{C_1(u), C_1(v)\}$, the only change in messages to or from r between $\alpha$ and $\beta$ comes from the permutation $\psi$ applied to the encryption keys of the messages. Applying $\psi$ preserves the occurrence of some prefix of $\sigma_R(r, C, w)$ at any point in the execution, for any $w \notin \{u, v\}$. For $w = u$, applying $\psi$ turns the occurrence of some prefix of $\sigma_R(r, C, u)$ into an occurrence of a prefix of $\sigma_R(r, C', v)$, and vice versa for $w = v$. It also preserves the appearance of messages to forward and the actual forwarding. Thus any action performed by r in $\beta$ is enabled, because it corresponds to a similar enabled action in $\alpha$.

Now consider a message $\mu$ sent from $C_1(u)$ in $\beta$.

It may be that $\mu$ is part of a $\sigma_R(C_1(u), C, w)$ sequence for some $w \notin \{u, v\}$ in $\alpha$. Then $\mu$ is enabled in $\beta$, since none of the messages in $\sigma_R(C_1(u), C, w)$ come from u or v and none involve u or v in the encryption keys, so all of them that exist in $\alpha$ exist in $\beta$ and no additional ones do. It could also be that, in $\alpha$, $\mu$ is a forward in some circuit not belonging to u or v. Then $\mu$ is still enabled in $\beta$ for a similar reason, recognizing that although it might involve the encryption keys of u or v, the content of messages is ignored in forwards.

Another case is that, in $\alpha$, $\mu$ is part of some $\sigma_R(C_1(u), C, u, i)$. Then in $\beta$, $\mu$ is part of $\sigma_R(C_1(u), C', v, i)$. This is because every message from u to $C_1(u)$ is changed to a message from v to $C_1(u)$, and every encryption key involving u changes to one involving v. It is clear that consistently replacing the user in the encryption keys of a $\sigma_R$ sequence and (when $i = 1$) the previous hop from u to v, as is done to create $\beta$, transforms a $\sigma_R(C_1(u), C, u, i)$ sequence into a $\sigma_R(C_1(u), C', v, i)$ sequence. No additional messages can enter this sequence in $\beta$, because they must be encrypted with a key of v, and any such message will have appeared with a key of u in $\alpha$ and will have filled the same spot in the $\sigma_R(C_1(u), C, u, i)$ sequence there. Thus $\mu$ is enabled in $\beta$. Also, for similar reasons, if $\mu$ is a forward in u's circuit in $\alpha$, then it is a forward for v's circuit in $\beta$.

The final case is when, in $\alpha$, $\mu$ is in a $\sigma_R(C_1(u), C, v)$ sequence or is a forward on v's circuit. Since v does not communicate directly with $C_1(u)$ as a user in $\alpha$, it must be that $C_1(u)$ is some intermediate router on v's circuit. Then the only changes to the $\sigma_R(C_1(u), C, v)$ messages in $\alpha$ are to the encryption keys, which are applied consistently to all the messages of the sequence and are not interfered with by messages in $\alpha$ already using the target keys, since those are also modified. Therefore if $\mu$ corresponds to a $\sigma_R(C_1(u), C, v)$ send in $\alpha$, it is a $\sigma_R(C_1(u), C', u)$ message enabled in $\beta$. Also, for similar reasons, if $\mu$ was a forward in v's circuit in $\alpha$, it is an enabled forward on u's circuit in $\beta$.

A similar argument works for $C_1(v)$.

2. $\beta$ is fair for agents in $N \setminus A$.

For any user $w \notin \{u, v\}$, every $\sigma_U(w, C')$ message received in $\beta$ in its non-junk partition is the same message in $\alpha$. Therefore every send w is enabled to perform in $\beta$, it is enabled to perform in $\alpha$. Since $\alpha$ is fair for w, so is $\beta$.

Now consider u. The transformation properly changes the messages from $C_1(v)$ to v in $\sigma_U(v, C)$ into messages sent to u that are in the same position in the $\sigma_U(u, C')$ sequence. No extra messages can appear, since they would have to be encrypted using u's keys, and then they would have been encoded with v's keys in $\alpha$ and been part of the $\sigma_U(v, C)$ sequence there. Therefore every send that u is enabled to perform in $\beta$, v is enabled to perform in $\alpha$. Since $\alpha$ is fair for v, $\beta$ is fair for u. A similar argument works for v.

For router $r \notin A \cup \{C_1(u), C_1(v)\}$ to be enabled to perform a send in $\beta$ but not in $\alpha$, there must be a message in some $\sigma_R(r, C', w)$ sequence that r receives in $\beta$ but doesn't receive in the corresponding sequence in $\alpha$. This cannot happen for any $w \notin \{u, v\}$, since the messages in this $\sigma_R$ sequence are not modified, except possibly the content of forwards, which doesn't affect their validity. All messages in $\beta$ that are to r and are in some $\sigma_R(r, C', u)$ are also sent to r in $\alpha$ and are part of some $\sigma_R(r, C, v)$. Therefore if such a message enables r to send something in $\beta$, there exists a similar message enabling r to send something in $\alpha$. Also, forwards along u's circuit in $\beta$ exist as forwards along v's circuit in $\alpha$. A similar argument works for messages of some sequence $\sigma_R(r, C', v)$.

For $C_1(u)$ to be enabled to perform a send in $\beta$ but not in $\alpha$, there must be a message in some sequence $\sigma_R(C_1(u), C', w)$, or a forward, that $C_1(u)$ receives in $\beta$ but not in $\alpha$. There cannot be such a message in the $\sigma_R(C_1(u), C', w)$ sequence for any $w \notin \{u, v\}$, since the messages in this sequence are not modified by the transformation and no new messages encrypted with w's key are created. Also the sender and recipient of forwards aren't modified, and the content of forwards doesn't affect their validity. Now suppose $w = v$. For any message that appears at the end of some $\sigma_R(C_1(u), C', v, i)$ in $\beta$ that $C_1(u)$ doesn't respond to, there must not be an analogous message in $\sigma_R(C_1(u), C, u, i)$ in $\alpha$, or $C_1(u)$ would be enabled at that point as well. But this message must be encrypted with v's keys and would be modified by the permutation, and thus would play the same role for $C_1(u)$ in $\alpha$. Again, the content of forwards doesn't matter, and any forward on v's circuit in $\beta$ corresponds to a forward on u's circuit in $\alpha$. A similar argument works for the case $w = u$. Therefore every send enabled for $C_1(u)$ in $\beta$ is enabled in $\alpha$, and $\beta$ is fair for $C_1(u)$. A similar argument works for $C_1(v)$.

3. $\beta$ is cryptographic.

We've already shown that uncompromised routers and users perform enabled actions in $\beta$. Since the automata only allow sending messages encrypted with keys the agent doesn't possess after receiving them, the actions of these agents do not prevent $\beta$ from being cryptographic. For a compromised user or router, suppose a message encrypted with a foreign key is sent before being received at least once. If the encryption key doesn't involve u or v, then the same message gets sent in $\alpha$ before being received, contradicting the fact that $\alpha$ is cryptographic. If the key involves u, then in $\alpha$ it involves v, in which case, if the message is received in $\alpha$ beforehand, it must have been received in $\beta$ beforehand as well, since the key permutation takes v to u. Likewise for messages encrypted with one of v's keys. The fact that $\alpha$ is cryptographic then implies that $\beta$ is cryptographic.

4. We can find a $\psi \in \Psi$ and a $\pi \in \Pi$ that turn $\alpha$ into a sequence that agrees with $\beta$ in all the adversary actions.

$\psi$ is simply the user permutation used to create $\beta$, transposing users u and v, and $\pi$ is the identity on all messages. Applying these to $\alpha$ yields a sequence that agrees with $\beta$ everywhere except for messages between u (v) and $C_1(u)$ ($C_1(v)$), which we assumed are not adversarial.


□ 


4.3 Indistinguishable Routers

Now we prove that an adversary cannot determine an uncompromised router on a given circuit unless it controls the previous or next router on that circuit. More formally, assume that the (i−1)st, ith, and (i+1)st routers of a user u's circuit in some configuration C are not compromised. We will show that C is indistinguishable from configuration C', where C' is identical to C except that the ith router of u's circuit has been arbitrarily changed. The proof is similar to that of Theorem 1, although it is complicated by the fact that the identities of routers in a circuit are included in multiple ways in the circuit-creation protocol. Given an execution of C, we identify those messages that are part of the circuit-creation sequence of the modified circuit and then change them to put a different router in the ith position. Then we show that, in the sense of Definition 5, from the adversary's perspective this sequence is indistinguishable from the original and could be an execution of C'.

Theorem 2. Say there is some user $u \notin A$ such that u's circuit in C contains three consecutive routers $r_{i-1}, r_i, r_{i+1} \notin A$. Let C' be equal to C, except that $r_i$ is replaced with $r'_i$ in u's circuit, where $r'_i \notin A \cup \{r_{i-1}, r_{i+1}\}$. C is indistinguishable from C' to A. The same holds for uncompromised routers $(r_i, r_{i+1})$ that begin u's circuit and are replaced with $(r'_i, r_{i+1})$, and for uncompromised routers $(r_{i-1}, r_i)$ that end u's circuit and are replaced with $(r_{i-1}, r'_i)$.

Proof. Let $\alpha$ be some fair, cryptographic execution of C, and let $h(C(u), i)$ denote the number of occurrences of the ith router of the circuit $C(u)$ among its first i routers. We modify $\alpha$ in steps to create an indistinguishable sequence $\beta$:

1. Replace all message components of the form $[\mathrm{EXTEND}, r_i, \{\mathrm{CREATE}\}_{u, r_i, h(C(u), i)}]$ with $[\mathrm{EXTEND}, r'_i, \{\mathrm{CREATE}\}_{u, r'_i, h(C'(u), i)}]$.

2. Consider the partition of router $r_{i-1}$'s actions that is associated with a $\sigma_R(r_{i-1}, C, u, i-1)$ sequence. Replace all messages in this partition that are to and from $r_i$ with the same messages to and from $r'_i$. Modify the link identifiers on these messages so that they are the smallest identifiers in use between $r_{i-1}$ and $r'_i$ at that point in $\alpha$. Increase the link identifiers that are in use between $r_{i-1}$ and $r'_i$ to make room for these new connections, and decrease the link identifiers that are in use between $r_{i-1}$ and $r_i$ to fill in the holes created by the removed connections. Perform similar modifications for $r_{i+1}$ and the other routers involved.

3. Replace all encryption keys of the form $(u, r_i, h(C(u), i))$ with $(u, r'_i, h(C'(u), i))$. Increment as necessary the third component of the encryption keys used between u and $r'_i$, to take into account that $r'_i$ appears once more in $C'(u)$ than it does in $C(u)$. Also decrement as necessary the third component of the keys used between u and $r_i$, to take into account that $r_i$ appears once less in $C'(u)$ than it does in $C(u)$.

Now we show that the action sequence thus created, $\beta$, is a fair, cryptographic execution of C':

1. Every action by an agent in $N \setminus A$ in $\beta$ is enabled.

It is easy to see that all receives are enabled in $\beta$, since sends and corresponding receives are modified together.

Our strategy for showing that all sends in $\beta$ are enabled will be to consider the separate non-junk partitions of $\alpha$ after the transformation. First we will show that no sends from uncompromised agents appear in $\beta$ outside of these transformed partitions. Then we show that any given non-junk partition of $\alpha$ is transformed into a subsequence that is "locally" enabled under C'. A user (router) action sequence is locally enabled if each send satisfies the conditions of Lemma 1 (2) applied just to that sequence. Then we show that it is "globally" enabled, in the sense that the sends in the transformed user (router) partition continue to satisfy Lemma 1 (2), respectively, when considered over the entire sequence $\beta$.

It is easier to proceed this way since going from a locally to a globally enabled sequence just requires that certain actions not exist in the larger sequence. For users, none of the sends in the transformed non-junk partition can appear again in the larger sequence between being enabled and being sent in the partition. This must also be true for transformed router partitions, and additionally the link identifiers used must be unique and minimal at the point of link creation. It should be easy to see that a locally enabled action sequence satisfying these global conditions contains only enabled sends in $\beta$, via Lemmas 1 and 2.

The fact that there are no sends from uncompromised agents in $\beta$ outside of the transformed non-junk partitions of $\alpha$ helps us prove that actions are globally enabled. By inspecting the three changes made to $\alpha$, it is clear that no actions are added to or deleted from $\alpha$, and that sends (receives) in $\alpha$ are sends (receives) in $\beta$. Since every send in $\alpha$ from an agent $a \in N \setminus A$ is part of one of its non-junk partitions, every send by an uncompromised agent in $\beta$ is part of one of the transformed partitions.

We can use this to show that a given sequence is globally enabled. If the sequence is a locally enabled transformed user partition, it is automatically globally enabled, because there are no sends outside the partition to interfere with it. Similarly, for locally enabled transformed router partitions, we automatically satisfy the send non-interference property in $\beta$ as long as we satisfy the second requirement, on the link identifiers.

This second requirement for routers is slightly simpler to establish by noting that all CREATE messages in $\beta$ were transformed from CREATE messages in $\alpha$. Therefore we only need to show that the link IDs used in $\beta$ are unique and minimal among the link creations of $\alpha$ after transformation.

For a user $v \neq u$ the non-junk partition has not been modified, therefore by Lemma 1 every send is locally enabled in $\beta$. Therefore every action by v is enabled.

Now consider the user u's non-junk partition in $\alpha$. We've modified steps $2i-1$ to $2i+2$ as necessary to change the $\sigma_U(u, C)$ prefix into a $\sigma_U(u, C')$ prefix. All of these are enabled by Lemma 1, so the partition is locally enabled. No sends appear outside of this transformed partition in $\beta$. Thus the partition is globally enabled.

Now consider a router $r \notin \{r_{i-1}, r_i, r'_i, r_{i+1}\}$ and a partition of r in $\alpha$. The partition consists of a prefix of some $\sigma_R(r, C)$ sequence and possibly some forwards. The only changes made to the partition are key relabelings and some modification of the messages of forwards. The relabeling turns the $\sigma_R(r, C)$ prefix into some $\sigma_R(r, C')$ prefix of the same length, so the sends in this sequence are locally enabled. Forwards are enabled regardless of content, so they are also locally enabled. No link identifiers of r have changed, so they are still unique and minimal, and the whole partition is globally enabled.

Now consider $r_{i-1}$. Take some non-junk partition of $\alpha$ that is not associated with a sequence to u as the (i−1)th circuit router, that is, one associated with a $\sigma_R(r_{i-1}, C, w, j)$ sequence with $w \neq u$ or $j \neq i-1$. For the same reasons as in the preceding case, it is transformed into a sequence associated with a $\sigma_R(r_{i-1}, C', w)$ sequence. Thus it is locally enabled. The partition that is a prefix of $\sigma_R(r_{i-1}, C, u, i-1)$ can be seen by inspection to be modified into a locally enabled sequence associated with $\sigma_R(r_{i-1}, C', u, i-1)$. The link identifiers used in every transformed partition of $r_{i-1}$ are unique and minimal in $\beta$ because the original partitions had unique and minimal IDs in $\alpha$, we haven't changed the IDs or neighbors of any partitions not connecting with $r'_i$ or $r_i$, and we have changed the IDs in partitions connecting with $r'_i$ or $r_i$ so as to make the IDs unique and minimal after changing a partition to connect with $r'_i$ instead of $r_i$. Thus the whole sequence is globally enabled. Similar arguments work for $r_{i+1}$, $r_i$ and $r'_i$.

2. $\beta$ is fair for agents in $N \setminus A$.

To show this we will again consider the transformed partitions of $\alpha$. We have shown that they form enabled sequences, and now need to show that no messages from the transformed junk partition belong in these sequences. For users, this means that the next step in a transformed $\sigma_U$ partition isn't received. For routers, it means that the next step in a transformed $\sigma_R$ partition isn't received, no new forwards on a created circuit are received, and no new valid CREATE messages are received.

Consider a user $w \neq u$. Every receive action by w in $\beta$ comes from a receive action by w in $\alpha$. The messages of w's receives are never modified to use one of w's keys, so a message encrypted with w's keys in $\beta$ uses the same keys in $\alpha$. Also, the content of an encrypted message is never changed into a message that appears in $\sigma_U(w, C')$. Therefore any receive that is a step of $\sigma_U(w, C')$ in $\beta$ is the same step of $\sigma_U(w, C)$ in $\alpha$. Therefore $\beta$ is fair for w.

Consider user u. As shown, the transformed non-junk partition of $\alpha$ is a locally enabled sequence in $\beta$. For u to have an unperformed enabled action in $\beta$, the next message in the $\sigma_U(u, C')$ sequence must come from the junk sequence and be unanswered. All the receives that are the same between $\sigma_U(u, C)$ and $\sigma_U(u, C')$ are left unchanged in $\beta$, so one of these cannot be the unanswered step. The received messages that differ between $\sigma_U(u, C)$ and $\sigma_U(u, C')$ are in steps $2 + 2j$, $i \le j \le \ell$. These differ only in the encryption keys, in such a way that the transformation applied to $\alpha$ takes every $(2+2j)$th step of $\sigma_U(u, C)$ to the $(2+2j)$th step of $\sigma_U(u, C')$. Thus an enabling receive in $\beta$ is such a receive in $\alpha$. Therefore $\beta$ is fair for u.

Now consider a router $r \notin \{r_{i-1}, r_i, r'_i, r_{i+1}\}$. For a given transformed partition, no new messages of the associated $\sigma_R(r)$ sequence can appear in $\beta$, since $\sigma_R(r)$ messages are all encrypted for r and we have created no such messages nor modified their content in such a way as to create a new message of the $\sigma_R(r)$ sequence. For forwards, first we recognize that the transformation maintains source and link-ID consistency for r, in the sense that if we were to group r's receives in $\alpha$ by their source and link ID, the transformed groups would be the same as the groups formed in $\beta$. Therefore for an incoming message to be transformed into a forward on a created circuit, it must previously have been sent with the link identifier of the incoming link; but since content doesn't matter in forwards, this would be a forward in $\alpha$ as well. Finally, there are no valid CREATE messages received in $\beta$ that aren't received in $\alpha$: no new messages are sent to r, no messages are transformed into a CREATE, no keys have been modified to belong to r, and r's link IDs are unchanged. Therefore $\beta$ is fair for r.

Now consider $r_{i-1}$. For a transformed partition of $r_{i-1}$, suppose that some receive extends the associated $\sigma_R(r_{i-1})$ sequence or acts as a forward on the created circuit. This receive must be from the junk partition of $r_{i-1}$, since we have shown that its non-junk partitions form enabled sequences. This message can't be from a router not in $\{r_i, r'_i\}$, because all such messages existed in $\alpha$ with the same link ID, source, and destination, and the content is either the same or is a forward, which would still be a forward in $\alpha$. It can't come from $r_i$: this router is uncompromised and therefore uses link identifiers properly. If the message were part of the associated $\sigma_R(r_{i-1})$ sequence, it would exist in $\alpha$ with an ID identical to the one in use by $r_{i-1}$ and $r_i$ in the sequence and with the same content, so this can't be the case. If the message were a forward, again it would exist in $\alpha$ with a link ID in use between $r_{i-1}$ and $r_i$ in the partition, and would therefore be a forward in $\alpha$ as well. Similar arguments work for messages from $r'_i$. Finally, no new partitions can be created, since CREATE messages to $r_{i-1}$ on unique link IDs in $\beta$ are the same in $\alpha$. Therefore $\beta$ is fair for $r_{i-1}$. Similar arguments work for $r_{i+1}$.

Now consider $r_i$. Because only the link identifiers to $r_{i-1}$ and $r_{i+1}$ have been changed, and those routers are uncompromised, all messages in $\beta$ to $r_i$ from a given router and with a given link ID are transformed from all messages in $\alpha$ from the same router with a given (possibly different) link ID. Thus for a received message to act as the next step in the associated $\sigma_R(r_i)$ sequence or to act as a new forward, it must have been sent in $\alpha$ on the link ID that partition has in $\alpha$. Since messages aren't redirected to $r_i$ and senders aren't changed, it must have been sent in $\alpha$ by the same sender. Since content doesn't change in the $\sigma_R(r_i)$ messages and doesn't matter in forwards, this message would perform the same function in $\alpha$, contradicting the fairness of $\alpha$. No new partitions can be created, because new CREATE messages aren't made by the transformation, senders are the same, and link identifiers are renumbered in such a way that distinct link IDs from a router in $\alpha$ are distinct in $\beta$. Therefore $\beta$ is fair for $r_i$.

A similar argument works for $r'_i$ over its partitions in $\alpha$, but we do reassign a partition of $r_i$ to $r'_i$, which we must also consider. Notice that the messages redirected to $r'_i$ exist on unique link IDs with $r_{i-1}$ and $r_{i+1}$ in $\beta$. Therefore these cannot enable actions in the other transformed partitions, and vice versa. Also, no junk messages of $r'_i$ can enable actions in this transformed partition, because the connecting routers, $r_{i-1}$ and $r_{i+1}$, are uncompromised and will have sent these messages on a link ID that is different from the ID of the transformed new partition in $\beta$. Finally, we show that the only valid CREATE messages received by $r'_i$ in $\beta$ are those in transformed partitions of $\alpha$. Every CREATE in $\beta$ is a CREATE in $\alpha$. Every valid CREATE to $r'_i$ in $\alpha$ becomes a valid CREATE in $\beta$, because it is part of a transformed partition and we have shown that these become enabled sequences. The only messages redirected to $r'_i$ belong to $r_i$'s reassigned partition, which forms a fair sequence in $\alpha$ and remains so after transformation. The final possibility for a new CREATE is a CREATE message from $r'_i$'s junk partition that was sent to $r'_i$ in $\alpha$ but was encrypted with a key of $r_i$, which then gets changed by the transformation. The only such message is $\{\mathrm{CREATE}\}_{u, r_i, h(C(u), i)}$. Only $r_{i-1}$ could send this message in $\alpha$. It would only do so if it were to receive the message $\{\mathrm{EXTEND}, r'_i, \{\mathrm{CREATE}\}_{u, r_i, h(C(u), i)}\}_{u, r_{i-1}, h(C(u), i-1)}$, which u never sends in $\alpha$. Again by the cryptographic property of $\alpha$, $r_{i-1}$ never sends this CREATE to $r'_i$ in $\alpha$. Thus no valid CREATE messages are received by $r'_i$ in $\beta$ that are not transformed from partitions in $\alpha$, which we have shown are fair. Therefore $\beta$ is fair for $r'_i$.

3. $\beta$ is cryptographic.

For uncompromised routers, the fact that all sends are enabled in $\beta$ guarantees cryptographic sends, since the protocol ensures this property. Compromised routers send and receive all the same messages, but with the transformation applied to them. Therefore, since $\alpha$ is cryptographic, so is $\beta$.

4. We can find key and message permutations that turn $\beta$ into a sequence that agrees with $\alpha$ in all adversary actions.

No messages are redirected towards or away from any $a \in A$ when constructing $\beta$. We apply to $\beta$ the message permutation transposing $\{[\mathrm{EXTEND}, r'_i, \{\mathrm{CREATE}\}_{u, r'_i, h(C'(u), i)}]\}_{k_1, \ldots, k_j}$ and $\{[\mathrm{EXTEND}, r_i, \{\mathrm{CREATE}\}_{u, r_i, h(C(u), i)}]\}_{k_1, \ldots, k_j}$, for $1 \le j \le \ell$, where $k_j$ isn't shared with the adversary. We also apply the key permutation that sends $(u, r'_i, h(C'(u), i))$ to $(u, r_i, h(C(u), i))$ and undoes the renumbering of the $r'_i$ and $r_i$ keys. Then the subsequence of actions by a in $\beta$ is identical to the subsequence in $\alpha$.

□ 

4.4 Indistinguishable Identifiers

Theorem 3. Say there is some uncompromised user u such that all routers in $C(u)$ are uncompromised. Then let C' be a configuration that is identical to C, except that u uses a different circuit identifier. C is indistinguishable from C' to A.

Proof. Let $\alpha$ be a fair, cryptographic execution of C. To create $\beta$, simply change every occurrence of u's circuit identifier in C ($C_{\ell+1}(u)$) to its identifier in C'. $\beta$ is enabled, fair, and cryptographic for C' because no message containing $C_{\ell+1}(u)$ gets sent to the adversary in $\alpha$, and the protocol itself ignores circuit identifiers except to forward them on. It appears the same to A for the same reason. □


4.5 Distinguishable Configurations

It is easy to see that the relation $D_A$, when restricted to the transitive closure of the pairs that are indistinguishable by Theorems 1, 2, and 3, is symmetric and therefore forms an equivalence relation. We introduce some notation to conveniently refer to such configurations.

Definition 9. For configurations C and D, we say that $C \sim_{D_A} D$ if C and D are related by a chain of configurations that are indistinguishable by Theorems 1, 2, and 3.

We can easily tell which configurations are in the same equivalence class using the following function. It reduces a circuit to an identifier, the compromised positions, and the positions adjacent to compromised positions.

Definition 10. Let $\rho : U \times N^{\ell} \times \mathbb{N}^+ \times \mathcal{P}(N) \to \mathbb{N} \times \mathcal{P}(N \times \mathbb{N}^+)$ be

$$
\rho(u, c, A) =
\begin{cases}
\bigl(c_{\ell+1},\ \{(r, i) \in N \times \mathbb{N}^+ \mid c_i = r \wedge (c_{i-1} \in A \vee c_i \in A \vee c_{i+1} \in A)\}\bigr) & \text{if } c_i \in A \text{ for some } i, \\
(0, \emptyset) & \text{otherwise.}
\end{cases}
$$

In the preceding, let $c_0$ refer to u.

We overload this notation and use $\rho(C)$ to refer to the multiset formed from the circuits of configuration C, adjoined with their users and reduced by $\rho$. That is, $\rho(C) = \{\rho(u, C(u), A) \mid u \in U\}$. It is not hard to see that $\rho$ captures the indistinguishable features of a configuration according to Theorems 1, 2, and 3.
Proposition 1. Let C and D be configurations. $C \sim_{D_A} D$ if and only if $\rho(C) = \rho(D)$.

Now we show that this equivalence relation is in fact the entire indistinguishability relation, and that Theorems 1, 2, and 3 therefore characterize which configurations are indistinguishable. The reason is that an adversary can easily determine which entries in the compromised routers belong to the same circuits and what positions they hold in those circuits. The adversary links together entries in its routers by using the circuit identifiers, which are uniquely associated with each circuit. And since circuits have a fixed length, compromised routers can determine their position in the circuit by counting the number of messages received after the circuit entry is made.

Theorem 4. Configurations C and D are indistinguishable only if $C \sim_A D$.

Proof. Suppose that C and D are not in the same equivalence class. Let the adversary run the automata prescribed by the protocol on the agents it controls. Let $\alpha$ be a fair, cryptographic execution of C and $\beta$ be a fair, cryptographic execution of D.

Partition the adversary actions of $\alpha$ into subsequences that share the same circuit identifier. There is at most one such partition for each circuit. Circuit positions that are created in the same partition belong to the same circuit. In each partition the adversary can determine the absolute location of a circuit position filled by a given compromised agent a by counting the total number of messages it sees after the initial CREATE. Clearly A can also determine the agents that precede and succeed a on the circuit and the circuit identifier itself. Therefore A can determine the reduced circuit structure $\rho(C)$ from $\alpha$.

The adversary can use $\beta$ in the same way to determine $\rho(D)$. By Proposition 1, $\rho(C) \neq \rho(D)$, so A can always distinguish between C and D. □

4.6 Anonymity

The configurations that provide sender anonymity, receiver anonymity, and unlinkability follow easily from Theorems 1, 2, 3, and 4.

Corollary 1. User u has sender anonymity in configuration C with respect to adversary A if and only if at least one of the following cases is true:

1. u and $C_1(u)$ are uncompromised, and there exists another user $v \neq u$ such that v and $C_1(v)$ are uncompromised.

2. u and $C_i(u)$ are uncompromised, for all i.

□

Corollary 2. Router r has receiver anonymity on u's circuit, in configuration C, and with respect to adversary A if and only if at least one of the following cases is true:

1. u, r, and $C_{\ell-1}(u)$ are uncompromised, and there exists another router $q \neq r$ such that q is uncompromised.

2. u and $C_i(u)$ are uncompromised, for all i.

□

Corollary 3. User u and router r are unlinkable in configuration C with respect to adversary A if and only if at least one of the following cases applies:

1. u, r, and $C_{\ell-1}(u)$ are uncompromised, and there exists another router $q \neq r$ such that q is uncompromised.

2. u and $C_1(u)$ are uncompromised. There exists another user $v \neq u$ such that v and $C_1(v)$ are uncompromised. $C_{\ell}(v) \neq r$, or $C_{\ell-1}(v)$ and r are uncompromised and there exists another router $q \neq r$ such that q is uncompromised.

□
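Definition 10, Proposition 1 and Corollary 1 above, as an added worked example that is not part of the paper: a small Python implementation of $\rho$, of the multiset $\rho(C)$, of the indistinguishability test $\rho(C) = \rho(D)$, and of the sender-anonymity conditions, run on constructed configurations (the users, routers, identifiers and compromised set below are made up for illustration).

```python
from collections import Counter

# Constructed example (not the paper's own code). A configuration maps each
# user to (circuit, circuit identifier), where circuit = (c_1, ..., c_l) is a
# tuple of routers; A is the set of compromised users and routers.

def rho(u, circuit, cid, A):
    """Definition 10: keep the identifier and the (router, position) pairs that
    are compromised or adjacent to a compromised position; a circuit with no
    compromised router reduces to (0, empty set). c_0 is the user u."""
    if not any(r in A for r in circuit):
        return (0, frozenset())
    ext = (u,) + tuple(circuit) + (None,)   # ext[i] is c_i; None: no c_{l+1}
    observed = {(ext[i], i) for i in range(1, len(circuit) + 1)
                if ext[i - 1] in A or ext[i] in A or ext[i + 1] in A}
    return (cid, frozenset(observed))

def rho_config(config, A):
    """rho(C): the multiset of reduced circuits over all users of C."""
    return Counter(rho(u, circ, cid, A) for u, (circ, cid) in config.items())

def indistinguishable(C, D, A):
    """Proposition 1 with Theorem 4: A cannot tell C from D iff rho(C) == rho(D)."""
    return rho_config(C, A) == rho_config(D, A)

def sender_anonymity(u, C, A):
    """Corollary 1: true iff case 1 or case 2 holds for user u in C."""
    circ, _ = C[u]
    if u in A or circ[0] in A:                 # both cases need u and C_1(u) clean
        return False
    if all(r not in A for r in circ):          # case 2
        return True
    return any(v != u and v not in A and C[v][0][0] not in A for v in C)  # case 1

# Constructed sample: two users, five routers, length-3 circuits, r2 compromised.
ADV = {"r2"}
C_SAMPLE = {"u": (("r1", "r4", "r5"), 11), "v": (("r2", "r3", "r5"), 12)}
# D differs from C only at positions A never observes, so rho(C) == rho(D).
D_SAMPLE = {"u": (("r1", "r5", "r4"), 11), "v": (("r2", "r3", "r4"), 12)}
# E changes v's second router, which sits next to compromised r2: distinguishable.
E_SAMPLE = {"u": (("r1", "r4", "r5"), 11), "v": (("r2", "r4", "r5"), 12)}

if __name__ == "__main__":
    print(rho_config(C_SAMPLE, ADV))
    print(indistinguishable(C_SAMPLE, D_SAMPLE, ADV), indistinguishable(C_SAMPLE, E_SAMPLE, ADV))
    print(sender_anonymity("u", C_SAMPLE, ADV), sender_anonymity("v", C_SAMPLE, ADV))
```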
4.7 Model Changes

We chose the described protocol to balance two goals. The first was to accurately model the Tor protocol. The second was to make it simple so that it could be analyzed, and also so that the main ideas of the analysis weren't unnecessarily complicated. Our results are robust to changes of the protocol, however. We can make the protocol simpler by removing multiple encryption and the circuit identifiers without weakening the indistinguishability results. In the other direction, we can make it more complicated with a stream cipher and multiple circuits per user without weakening the distinguishability results.

Multiple encryption is not necessary for the distinguishability theorems, and therefore for the anonymity and unlinkability results. Consider a single-encryption protocol in which the user only encrypts each message with the key of the last router added to the circuit. Messages aren't encrypted or decrypted as they pass up and down a circuit. The adversary is still not able to determine parts of a circuit that aren't adjacent to a compromised agent. The proof of this under multiple encryption did not use the changing representation of messages going along a circuit, and only relied on the last key of the multiple encryption to hide the content of messages. Single encryption does allow the adversary to easily link entries in his routers by sending messages along the circuit. This power is already available in our model from circuit identifiers, though.

The circuit identifiers themselves are not actually necessary either. For any entry in a compromised router a, the adversary can simply wait until the circuit is created, and then send $k_a$ dummy messages up the circuit, where $k_a$ is some number unique to a. The first compromised router up the circuit will receive $k_a$ messages that necessarily came from a because the circuit-building protocol will have finished. Linking entries this way is equivalent to using circuit identifiers because after it is done the adversary can easily simulate the presence of circuit identifiers on all the messages it receives.

Stream ciphers are used in the Tor protocol and prevent signaling along a circuit using dummy messages. Sending such messages will throw off the counter of some routers on the circuit and the circuit will stop working. We can model a stream cipher by expressing the encryption of the $i$th message $p$ with key $k$ as $\{p\}_{(k,i)}$ and allowing a different permutation to be applied for every pair $(k, i)$. This can only increase the size of the configuration indistinguishability relation. However, the proof for the distinguishability of configurations only relies on the ability of the adversary to decrypt using his keys, count messages, and recognize the circuit identifier. Therefore it still holds when the model uses a stream cipher. Also, with a stream cipher the circuit identifier is still not necessary for our results. The adversary can again use the process described above to link entries in compromised routers, since although it involves sending dummy messages, they are sent after the circuit creation is finished and therefore do not interfere with it.

Allowing users to create multiple circuits doesn't weaken the adversary's power to link together its circuit positions and determine their position, but the number of configurations that are consistent with this view does in some cases increase. Let users create an arbitrary number of circuits. The adversary can still link positions and count messages as before, so the adversary can distinguish configurations C and D if $\rho(C) \neq \rho(D)$. However, Proposition 1 does not continue to hold, as it is no longer necessary for there to be more than just user u with an uncompromised first router to prevent u from being identified with its circuit. It can, however, be shown that the converse of Theorem 4 continues to hold if we replace "$C \sim_A D$" with "$\rho(C) = \rho(D)$."


5 Conclusions

We have presented a model of onion routing and characterized when anonymity and unlinkability are provided. The model uses IO automata and provides asynchronous communication. The onion routing protocol we describe is based on the Tor protocol and is connection-oriented. The adversary we analyze is local and active in the sense that he is allowed to run arbitrary automata but is limited to the view of a subset of users and routers that he controls. We show that the adversary can determine when his routers hold positions in the same circuit and where in the circuit they are located, and only this. This gives a simple set of conditions for sender anonymity, receiver anonymity, and unlinkability that basically just require that the first or last router in a circuit is uncompromised.
Two directions for future work on modeling onion routing are improving the model and improving the analysis. A big missing piece in the current model is the lack of time. Timing attacks are successful in practice, and we have attempted to include one attack of this sort in the model by using circuit identifiers, but this is just an approximation. Also, we have simplified the Tor protocol by omitting key exchange, circuit teardowns, the final unencrypted message forward, and stream management and congestion control. Adding some or all of these would bring the model closer to reality. Towards improving the analysis, we have made several assumptions about the cryptosystem without exhibiting an encryption scheme for which they hold, and this should be done. Also, probabilities in both the behavior of the users and the operation of the system should be added to the model and analyzed according to probabilistic definitions of anonymity.